*BSD News Article 96774

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.edu.au!munnari.OZ.AU!spool.mu.edu!howland.erols.net!news.mathworks.com!news1.best.com!nntp1.ba.best.com!not-for-mail
From: dillon@flea.best.net (Matt Dillon)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: sudo vs. md5 passwords
Date: 2 Jun 1997 18:00:17 -0700
Organization: Best Internet Communications, Inc. - 415 964 BEST
Lines: 52
Message-ID: <5mvqb1$9gk$1@flea.best.net>
References: <fred-ya02408000R0106970949470001@news.lightside.com>
NNTP-Posting-Host: flea.best.net
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:42090

:In article <fred-ya02408000R0106970949470001@news.lightside.com>,
:Fred Condo <fred@lightside.net> wrote:
:>I just figured out a bug, or interaction, between sudo and a FreeBSD system
:>using strictly md5 passwords (no DES). This is under FreeBSD 2.1.7.
:>
:>We recently laid off an employee who had access to sudo, so we had to
:>change the password on several role accounts that employee used sudo from.
:>The old password was 8 characters long. The new password is 10 characters
:>long.
:>
:>After changing the password, sudo rejected the new password as being wrong.
:>Yet on another FreeBSD 2.1.7 system, it still worked. That system, however,
:>uses DES passwords because its password file was transferred from a legacy
:>system that used traditional password encryption. After poking around
:>aimlessly for a while, I realized that sudo must assume that passwords are
:>no more than 8 characters, which is the limit with traditional DES-based
:>passwords. The md5 passwords, I believe, can be up to 16 characters. So
:>when sudo encrypted the first 8 characters only of the password, its hash
:>did not match the hash in the password database.
:>
:>I reset the password for the account, truncating it at 8 characters, and
:>now sudo is happy.
:>
:>Hopefully this message will help someone who has run into this problem.
:>-- 
:>http://www.lightside.net/~fred/ + net access + http://www.lightside.net/
:>"Attempts to control the use of encryption technology are wrong in
:>principle, unworkable in practice, and damaging to the long term economic
:>value of the information networks." - UK Labour Party

    I would recommend disabling sudo entirely... it really isn't all that
    useful a program, and gives administrators a false sense of security.
    We used sudo for about three months then scrapped it.

    If you need to give employees root access, take the time to set up
    a kerberos server and then use 'ksu'.  It's much more secure and much
    easier to manage since the crypted passwords only exist on the (secure)
    kerberos server... not a single password, crypted or not, need exist
    on any other machine other than the employee's personal workstation.

    ssh is also useful as a replacement for the old .rhosts mechanism.  I
    especially like to use it from home when I telecommute not only for the
    security and encrypted connection, but also because it has a wonderful
    compression option (-C) that makes modem connections feel like local
    network links when you are typing or doing things like 'ps axl', AND
    ssh fully supports kerberos authentication as well as its standard
    public/private key authentication.

    The ssh/kerberos combination makes an awesome pair, IMHO.

					-Matt
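The truncation mismatch described in the quoted report, as an added example that is not part of the original post: a from-scratch MD5-crypt ("$1$") implementation built on hashlib (the names md5crypt, check_password and the sample password and salt are my own), showing that a verifier which hashes only the first 8 characters of what the user typed cannot match an MD5-crypt hash of a longer password, because MD5-crypt absorbs the whole password while traditional DES crypt uses only the first 8.

```python
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """MD5-crypt's little-endian base-64 style encoding of `count` chars."""
    out = ""
    for _ in range(count):
        out += chr(ITOA64[value & 0x3F])
        value >>= 6
    return out


def md5crypt(password, salt):
    """Return the "$1$<salt>$<22 chars>" MD5-crypt hash of the whole password."""
    pw, slt = password.encode(), salt[:8].encode()   # salt is at most 8 chars
    ctx = hashlib.md5(pw + b"$1$" + slt)
    alt = hashlib.md5(pw + slt + pw).digest()
    for left in range(len(pw), 0, -16):              # absorb len(pw) bytes of alt
        ctx.update(alt[:min(16, left)])
    bits = len(pw)
    while bits:                                      # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for r in range(1000):                            # stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(slt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups) + _to64(final[11], 2)
    return "$1$" + slt.decode() + "$" + enc


def check_password(stored, typed, max_len=None):
    """Verify `typed` against a stored $1$ hash.  `max_len` models a verifier
    that, like the sudo in the post, hashes only the first 8 typed characters."""
    if max_len is not None:
        typed = typed[:max_len]
    salt = stored.split("$")[2]
    return md5crypt(typed, salt) == stored


# Constructed demonstration: a 10-character password hashed with MD5-crypt.
STORED = md5crypt("tenchars!!", "saltsalt")
OK_FULL = check_password(STORED, "tenchars!!")               # True
OK_TRUNC8 = check_password(STORED, "tenchars!!", max_len=8)  # False
```

An 8-character password verifies either way, which is why the report's workaround of truncating the password to 8 characters made sudo "happy" again.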